Would really like to hear from anyone who is successfully running Shorewall 3 on FC4 in a multiple ISP configuration.

What kernel and iptables are you running? Are they out-of-the-box or patched?

It mostly works for me - the exception being incoming connections.

Outgoing stuff works Ok. No user supplied tcrules, balance and track specified on both provider links.

I can connect to the firewall host from both ISPs, but I can't get through the firewall to internal (1-1 NATed) hosts from the 2nd ISP. No problem getting through the firewall host to internal (also 1-1 NATed) hosts from the 1st ISP. (The distinction between '1st' and '2nd' ISP is puzzling.)

I have Shorewall logging everything that it drops or rejects but nothing is getting logged. Maybe I should be logging what it accepts to verify that packets are at least getting through.

I'm hoping that someone can confirm that it is possible to make this work before I start looking for a solution.
On Wednesday 15 March 2006 17:04, taso wrote:
> Would really like to hear from anyone who is successfully running Shorewall
> 3 on FC4 in a multiple ISP configuration.
>
> What kernel and iptables are you running?
> Are they out-of-the-box or patched?
>
> It mostly works for me - the exception being incoming connections.
>
> Outgoing stuff works Ok. No user supplied tcrules, balance and track
> specified on both provider links.
>
> I can connect to the firewall host from both ISPs, but I can't get through
> the firewall to internal (1-1 NATed) hosts from the 2nd ISP. No problem
> getting through the firewall host to internal (also 1-1 NATed) hosts from
> the 1st ISP. (The distinction between '1st' and '2nd' ISP is puzzling.)
>

I would have thought that the very term "one-to-one" would have clued you to the fact that you can only have one "one-to-one" mapping for any internal IP address. Apparently, that subtlety escaped you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
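A quick check for the overlap Tom describes, as an added example that is not part of the thread: a shell function that scans a Shorewall 3 nat file for internal addresses that appear in more than one one-to-one entry. It assumes the usual nat column order (EXTERNAL INTERFACE INTERNAL, then optional columns); the sample file contents and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report internal addresses that are
# the target of more than one one-to-one NAT entry in a Shorewall 3 nat file.
# Assumed column layout: EXTERNAL INTERFACE INTERNAL [ALL-INTERFACES] [LOCAL]

# Constructed sample nat file: two external addresses (one per ISP link)
# both point at 192.168.1.10, which is the mistake discussed in the thread.
SAMPLE_NAT='#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.0.113.10    eth0        192.168.1.10    no              no
198.51.100.10   eth1        192.168.1.10    no              no
203.0.113.11    eth0        192.168.1.11    no              no
'

# Reads nat file text on stdin. For every internal address mapped from more
# than one external address, prints "INTERNAL: EXT1 EXT2 ..." (one per line).
# Comment and blank lines are skipped; output is sorted for stable results.
find_duplicate_internal() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    awk '{ ext[$3] = ext[$3] " " $1; n[$3]++ }
         END { for (i in n) if (n[i] > 1) print i ":" ext[i] }' | sort
}

# Runs the check over the constructed sample above.
check_sample() {
    printf '%s' "$SAMPLE_NAT" | find_duplicate_internal
}

check_sample
```

Pipe a real file through `find_duplicate_internal` (for example `find_duplicate_internal < /etc/shorewall/nat`) to audit a live configuration; an empty result means every internal host has at most one external mapping.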
Tom Eastep wrote:
>>
>> I can connect to the firewall host from both ISPs, but I can't get through
>> the firewall to internal (1-1 NATed) hosts from the 2nd ISP. No problem
>> getting through the firewall host to internal (also 1-1 NATed) hosts from
>> the 1st ISP. (The distinction between '1st' and '2nd' ISP is puzzling.)
>>
>
> I would have thought that the very term "one-to-one" would have clued you to
> the fact that you can only have one "one-to-one" mapping for any internal IP
> address. Apparently, that subtlety escaped you.
>

I'm so busy doing things that I don't have time to think :).

I did make the mistake of pointing 2 external IP addresses to 1 internal address, but not for long. The symptoms I describe are present with 1-1 NAT; there are no 1-many or many-1 constructs (the public IP used for masquerading does not appear in the nat file.)

I have a small window for testing so I tend to just restart Shorewall rather than everything after a change, even though I am never sure which action is appropriate for a given change. Methinks the next test window should begin with a full restart.
It seems there is no 'tracking' going on.
For example, a ping packet comes in on one interface but the reply leaves out of the other interface.
Same behaviour on TCP connections: SYN packet comes in on one interface, SYN,ACK leaves out of the other.

The routing rule table looks Ok.
The routing tables look Ok.
It is as if the packets are not marked.

iptables-1.3.0-2
shorewall-3.0.5-1.fc4
kernel-2.6.15-1.1833_FC4

I'm open to suggestions.

TIA
taso wrote:
>
> It seems there is no 'tracking' going on.
> For example, a ping packet comes in on one interface but the reply
> leaves out of the other interface.
> Same behaviour on TCP connections, SYN packet comes in on one interface
> SYN,ACK leaves out of the other.
>
>
> The routing rule table looks Ok.
> The routing tables look Ok.
> It is as if the packets are not marked.
>

Forget the above drivel and apologies for wasting anyone's time. From now on I will never post anything until I have had enough sleep first :)
On Thursday 16 March 2006 02:35, taso wrote:
> It seems there is no 'tracking' going on.
> For example, a ping packet comes in on one interface but the reply leaves
> out of the other interface. Same behaviour on TCP connections, SYN packet
> comes in on one interface SYN,ACK leaves out of the other.
>
>
> The routing rule table looks Ok.
> The routing tables look Ok.
> It is as if the packets are not marked.
>
>
> iptables-1.3.0-2
> shorewall-3.0.5-1.fc4
> kernel-2.6.15-1.1833_FC4
>
>
> I'm open to suggestions.

Are the interfaces connected to the same hub/switch?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key